GDPR is a journey not a destination

It’s not possible to be GDPR (General Data Protection Regulation) compliant, said Ian West, speaking at the latest GDPR summit London, so what can you do?

“It’s about creating a defensible position,” said Ian West, Director of Digital Information, Project One. He explained: “GDPR is a brutally simple concept, but is hideously complex to comply with.” It’s when you drill down and look at the detail that the complications emerge.

He gave as an example JD Wetherspoons, it deleted all its data, and got a fair ribbing in the press. But the company took a bold step, it had no idea how they got their data. Tongue in check, Ian gave the example of offering a ‘pint of Stella’ in exchange for permission to use a customer’s data. If the offer was given to a customer as they entered the pub, maybe that’s okay, make the offer after 11 pints, then maybe the permission was not gained fairly. That takes us to a key point about GDPR, permission may not be sufficient justification to use data – that’s why many companies are emphasising legitimate interests instead, GDPR regulations do allow the use of data under the legitimate interests principle – although, as ever, the detail reveals complexity.

So its complex, you will never be 100 per cent GDPR compliant, instead you need to show that you have taken the rights steps to create a position such that in the event of an investigation by the regulators you can show you take privacy seriously and took all reasonable steps to comply with GDPR – “a defensible position.”

Hammering his point home, Ian said that GDPR is the biggest change management problem since the year 2000, but more so – the Year 2000 bug was an IT problem – GDPR is an enterprise challenge.

And if you don’t have a reason to keep data, “get rid of it,” he said.

And yet, Ian says “GDPR is a massive opportunity. If you see GDPR as a challenge you will see it as a cost,” not interesting, not exciting just one of those things that has to be done.

But Ian argued that GDPR provides an opportunity to build trust with customers and steal a march on competitors. See it in those terms and GDPR becomes something people care about.

GDPR also has a requirement of privacy by design – meaning privacy must be a core consideration when creating a product not an after-thought. But to get an enterprise-wide GDPR mindset, you need to get staff focused on the opportunity.

GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.